Abstract
Software Defined Networks (SDNs) have accelerated and simplified management, configuration and error detection in today’s networking systems. However, SDN is prone to some new security threats, the most important of which is its vulnerability to a new generation of Distributed Denial of Service (DDoS) attacks in which fake packets target random destinations instead of a single server. In this paper, we show that existing early detection methods, such as entropy- and principal component analysis (PCA)-based methods, are not sufficiently capable of detecting this type of attack. Instead, we propose a novel network traffic anomaly detection framework for tackling DDoS in SDN. Our framework consists of four stages: first, we draw on extensive experiments on an SDN test-bed to analyze the behavior of normal and attack traffic. Second, a statistical trapezoid model is proposed to estimate the number of table misses in the controller. Third, we estimate the threshold of the table misses in regular time intervals using linear regression together with EWMA estimation. In the last stage, we use the derived model as a reference to detect DDoS attacks as anomalous deviations. The evaluation results demonstrate that, using this method, one can detect DDoS attacks against an SDN-based network in their early stages, with few false positives, and regardless of the specifics of the attack.
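The third and fourth stages can be illustrated with a small detector over per-interval table-miss counts. This is an added example, not the authors' code, and it does not reproduce the paper's trapezoid model; the window size, smoothing factor `alpha`, multiplier `k`, floor `min_dev` and the sample counts are all assumptions chosen for illustration.

```python
from statistics import mean

# Constructed sample: table misses (packet-in events) seen by the controller
# per interval. Intervals 12-14 simulate a random-destination flood.
SAMPLE_COUNTS = [42, 45, 44, 47, 43, 46, 45, 48, 44, 47, 46, 49,
                 95, 210, 380, 52, 47]

def linear_forecast(window):
    """Fit a least-squares line to the window and predict the next interval."""
    n = len(window)
    x_bar, y_bar = (n - 1) / 2, mean(window)
    sxx = sum((x - x_bar) ** 2 for x in range(n))
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in enumerate(window))
    return y_bar + (sxy / sxx) * (n - x_bar)

def detect(counts, window=6, alpha=0.3, k=4.0, min_dev=5.0):
    """Return indices of intervals whose count exceeds the adaptive threshold.

    threshold = regression forecast + k * EWMA(|forecast error|).
    The first `window` intervals are assumed to be attack-free.
    """
    history = list(counts[:window])
    base = mean(history)
    dev = mean(abs(y - base) for y in history)  # initial deviation estimate
    alerts = []
    for i in range(window, len(counts)):
        pred = linear_forecast(history[-window:])
        threshold = pred + k * max(dev, min_dev)
        if counts[i] > threshold:
            # Anomalous interval: flag it and keep it out of the baseline,
            # so a sustained flood cannot drag the threshold upward.
            alerts.append(i)
            continue
        dev = alpha * abs(counts[i] - pred) + (1 - alpha) * dev
        history.append(counts[i])
    return alerts

if __name__ == "__main__":
    print("anomalous intervals:", detect(SAMPLE_COUNTS))
```

Excluding flagged intervals from the baseline is a design choice of this sketch: it keeps the threshold stable during an attack, at the cost of needing a manual reset if legitimate traffic shifts permanently.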
Data Availability
The data used in the paper will be available upon request.
Code Availability
The code will be available after obtaining permission from Yazd University.
Acknowledgements
An earlier version of this article has been previously published in the proceedings of the 2020 6th International Conference on Web Research (ICWR), Tehran, Iran, which is made available here: https://ieeexplore.ieee.org/document/9122310. The present article is an extended version.
Funding
No funding.
Ethics declarations
Conflict of interest
There is no conflict of interest to declare in this study.
Cite this article
Shohani, R.B., Mostafavi, S. & Hakami, V. A Statistical Model for Early Detection of DDoS Attacks on Random Targets in SDN. Wireless Pers Commun 120, 379–400 (2021). https://doi.org/10.1007/s11277-021-08465-5
DOI: https://doi.org/10.1007/s11277-021-08465-5